After my SRX for beginners post became the most popular article on this blog, I decided to improve it a little, as it was missing some vital information. Without talking too much, let's summarize what we will do in this post:

What is a flow session?

How can we interpret a flow session entry?

How can we open a standard port/application on SRX and do destination NAT?

How can we open a non-standard port and do destination NAT?

How can we do proxy-arp?

In this post, we will use the same topology as in the previous post, but I have added three new devices to it so that I can show source/destination NAT and proxy ARP.

SRX for beginners topology

Let’s get started:

What is a flow session?

Juniper SRX is a stateful firewall, so the box doesn't just forward an IP packet and forget about it. It has to remember which IP packets it has received and which packets it is expecting. It isn't exactly like this, but for the sake of simplicity let's assume so for now. So what does a session look like on an SRX firewall? To show this, from the PC1 device I telnet to TCP port 80 of the www.example.com host, which is outside my test network, and then look at how the flow session appears on our SRX firewall.

As you can see, we can display sessions with the "show security flow session" command, and by adding more options, e.g. destination-port, you can filter the session table.

How can we interpret a flow session entry?

Now let’s drill down this single flow session entry line by line.

Line 1

109 : Each session is given a session identifier by the firewall, here 109.

allow-internal-clients/4 : The security policy that matched this specific traffic; the number 4 is the policy index.

294 : When a session is created it starts with a default timeout and counts down to zero as long as no packet is seen. If it reaches 0, the session is removed.

Line 2

192.168.239.3/47715 : Source IP address/port of the host which created the session.

93.184.216.34/80;tcp : Destination IP address/port of the destination host, and the transport layer protocol, which is TCP here.

ge-0/0/1.0 : The ingress interface of the packet.

Pkts: 2, Bytes: 112 : Number of packets and bytes received in this direction.

Line 3
A flow session has two wings, and this one is the wing in the reverse direction.

93.184.216.34/80 : This is the same as our destination address.

192.168.100.38/20201 : This is the address to which 93.184.216.34 replies, but it is different from our source IP address 192.168.239.3 since we are doing source NAT and port translation.

ge-0/0/0.0 : Ingress interface of the return packets.

Pkts: 1, Bytes: 60 : Number of packets and bytes received from the destination.

How can we open a default/standard port/application on SRX and do destination NAT?

In the topology we have a web server, and we would like to offer a public HTTP service, i.e. anyone on the Internet who types http://192.168.100.38 into their browser will be redirected to our internal web server. To do this we will create a destination NAT rule and a security policy allowing this HTTP traffic.

Note: In order to forward traffic to the internal server, a destination NAT pool is required.

Security Policy
If you don't permit the HTTP traffic in a security policy, destination NAT is of no use.
In this setup I am moving from zone-specific address books to global addresses, so I am moving my old address book to the global level and adding a new address entry for the web server.

As you can see, the request to 192.168.100.38:80 is translated to 192.168.239.10:80 by the SRX.
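The configuration for this scenario, as an added example rather than the original post's own config: it uses the addresses from the topology and assumes the external interface ge-0/0/0.0 sits in a zone named untrust and the internal side in trust (zone and object names are assumptions). Lines starting with # are explanatory comments.

```junos
# Destination NAT pool pointing at the internal web server from the topology
set security nat destination pool web-pool address 192.168.239.10/32 port 80
# Rule-set for traffic entering from the external zone (zone names untrust/trust are assumed)
set security nat destination rule-set dnat-untrust from zone untrust
set security nat destination rule-set dnat-untrust rule web-http match destination-address 192.168.100.38/32
set security nat destination rule-set dnat-untrust rule web-http match destination-port 80
set security nat destination rule-set dnat-untrust rule web-http then destination-nat pool web-pool
# Global address-book entry referenced by the policy
set security address-book global address webserver 192.168.239.10/32
# The policy is evaluated after destination NAT, so it matches the translated address and port
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address webserver
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit
commit
# Verification from configuration mode: rule hit counters, then the translated session
run show security nat destination rule all
run show security flow session destination-port 80
```

No proxy ARP is needed here because 192.168.100.38 is the address configured on ge-0/0/0.0 itself.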

How can we open a non-standard port and do destination NAT?

Now we have a different requirement. There is an SMTP server listening on the default port 25, but we want everyone to access this host on port 2025 instead of the default port. We will now configure this scenario.

Note: You may be asking why we use the junos-smtp application, which has port 25, instead of an application with destination port 2025. The reason is that security policy processing is done after destination NAT is processed, so by the time the security policy does its match, the port has already been translated from 2025 to 25.

For example, if you were to redirect (port NAT) port 2025 to another non-standard port, e.g. 2000, on this SMTP server, then you would have to create an application, e.g. named custom-smtp, and permit this application in the policy.
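The port-2025 scenario and the port-2000 variant from the paragraph above, as an added example (not the post's own config): the SMTP server's internal address 192.168.239.11 is assumed since the page does not give it, and the untrust/trust zone names are assumptions as before.

```junos
# Pool: the SMTP server listens on its default port 25 (internal IP assumed, not given on the page)
set security nat destination pool smtp-pool address 192.168.239.11/32 port 25
# Match public traffic to the WAN address on the non-standard port 2025 and translate it to the pool
set security nat destination rule-set dnat-untrust from zone untrust
set security nat destination rule-set dnat-untrust rule smtp-2025 match destination-address 192.168.100.38/32
set security nat destination rule-set dnat-untrust rule smtp-2025 match destination-port 2025
set security nat destination rule-set dnat-untrust rule smtp-2025 then destination-nat pool smtp-pool
set security address-book global address smtpserver 192.168.239.11/32
# Policy runs after destination NAT, so the port is already 25 and junos-smtp matches
set security policies from-zone untrust to-zone trust policy allow-smtp match source-address any
set security policies from-zone untrust to-zone trust policy allow-smtp match destination-address smtpserver
set security policies from-zone untrust to-zone trust policy allow-smtp match application junos-smtp
set security policies from-zone untrust to-zone trust policy allow-smtp then permit
commit
# Variant from the text: land on non-standard port 2000 instead. junos-smtp (port 25) no longer
# matches the post-NAT port, so a custom application for tcp/2000 replaces it in the policy.
set security nat destination pool smtp-pool address 192.168.239.11/32 port 2000
set applications application custom-smtp protocol tcp destination-port 2000
delete security policies from-zone untrust to-zone trust policy allow-smtp match application junos-smtp
set security policies from-zone untrust to-zone trust policy allow-smtp match application custom-smtp
commit
```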

How can we do proxy-arp?

According to our topology, we have only one WAN IP assigned to the external interface, which is 192.168.100.38, but our ISP has given us a /24 block, and we would now also like to use the IP address 192.168.100.100 for some services. However, we don't want to assign this IP address to the external interface. The problem is that if you don't assign an IP to an interface, the box doesn't respond to ARP requests for that IP. To solve this problem we need to configure proxy ARP. To demonstrate this, we have a scenario: an application server whose IP is 192.168.239.12 sits in the internal network, and the application is running on TCP port 8080. We would like everyone on the Internet to access this application via TCP port 80, i.e. we will redirect TCP port 80 requests arriving at 192.168.100.100 to the internal 192.168.239.12 on TCP port 8080.


Worked for more than 10 years as a Network/Support Engineer, also interested in Python, Linux, Security and SD-WAN; currently living in the Netherlands and working as a Network Support Engineer.
// JNCIE-SEC #223 / RHCE / PCNSE

18 thoughts on “SRX for beginners #2”

If you have an public IP subnet and are going to use destination or static NAT don’t forget to set security > nat > proxy-arp for your addresses on the respective outgoing interface as long as you do not use the address of the SRX itself.

Hello Mr Author. I really appreciate you posting very valuable information on this blog. I follow your posts a lot and they have really helped me learn SRX.

I have a few items that I would like your suggestions on. I would really appreciate it if you could help me compile a list of all tasks that can be automated on the SRX5800:
– health checks that can be automated with some external tool
– configurations that can be deployed with automation tools.

Hello,
I am completely new to Juniper products and I got an opportunity to learn the srx220 because my Cisco PIX has been malfunctioning for the last 2 weeks, and it is going to be replaced by an srx220. Will you please help me to configure that box? I am sending you the network diagram and config file of my pix-525. I think there is no option to upload a jpg file here, so I am describing my network.

We are using 7 to 8 VLANs in our network, created on a Cisco 4510R Catalyst switch which is connected to the Cisco PIX through VLAN 500, and the default route configured on the 4510R is the PIX inside IP, which is 172.16.0.250 255.255.255.248. The PIX sits between the 4510R and a Cisco router, and I have no access to that router. That router is managed by the ISP, so I can't change anything on it. The outside IP of the PIX, 172.20.1.2/24, is directly connected to the router. The config of the pix-525 is as follows:

So will you please send me the configuration for the box which will be installed here? And I request that you make a post about this problem, like your other posts, which are very clearly understandable.

Just read it for the accessing-a-web-server-from-outside case. I have one query: how can a private IP address be telnetted to or accessed from outside? Only public IP addresses are routable and accessible over the Internet. I think something is wrong in the typing or I missed something. Please clarify for me. Thanks

Thanks for the great pages. Your reminder to add the dhcp to the host allowed services seems so obvious now, but during troubleshooting was kicking my butt. Very good information. Drinks are on me if you are ever in the Washington DC area.

Any article showing how to use an application server (on a private IP), as in the diagram above, running Tomcat, with the SRX connected to the Internet? I defined static NAT and destination NAT but it's not working. My Linux server is running with a public IP on its other interface, eth0, from where I can access it easily; if I make the default route point to the private IP on eth1, which is connected to the firewall, and try to access the firewall IP, it's not working.